Apple Plays Cat And Mouse With In-App Purchase Hacker

from the what-if-I-change-this-setting dept

Piracy has been considered the bane of game developers for as long as games have existed. Over the years, many methods of fighting piracy or turning those who play for free into paying customers have come and gone. Some methods focused on deterring pirates, while others focused on maximizing profits. One of these profit-maximizing endeavors, which recently gained traction with game developers, is the use of micro-transactions -- or, as they are often called in the mobile world, "in-app purchases." This method of revenue generation was quickly accepted by many game developers, as it provided a way to distribute the game for free to as many people as possible with the prospect that enough of those free users would then buy in-game items with real money.

Because of this business model, mobile phone producers (mainly Apple) have developed APIs that allow game developers to easily tie their in-game stores to Apple's payment processing and authentication services. While this method is not without its issues, it has been accepted as a relatively secure way of monetizing a game. That is, until one hacker named Alexey V. Borodin figured out a relatively simple way to spoof the purchases of in-game items. Using this exploit, Alexey claims, as many as 30,000 transactions have been made since the instructions went live.

In a follow-up article, The Next Web reports that Apple has begun efforts to prevent the spread of this exploit. These efforts include blocking the IP address of the server Alexey was using, requesting that the server be taken down by the Russian hosting company that owned it, sending takedown notices to YouTube over videos providing instructions, and getting PayPal involved in shutting down the account Alexey was using to collect donations (a whopping $6.78 was raised, according to that report). Apple also issued the following statement:

The security of the App Store is incredibly important to us and the developer community. We take reports of fraudulent activity very seriously and we are investigating.

Even with all these attempts at taking down Alexey's service, it remains up and running for any willing iPhone user to take advantage of; that is, if those users are willing to risk their privacy and their iTunes accounts to use it, something Alexey claims is not an issue.

While this exploit is troubling on many levels, it really highlights the folly of relying on security through obscurity. Apple had the chance to secure its APIs long before this exploit appeared. It has an opportunity to do so now. In fact, Alexey states that he is more than willing to discuss the issue with Apple. Unfortunately, Apple has not contacted him. While I can understand Apple's unwillingness to work directly with someone who openly exploits its services, it would be prudent to use all available options to end this exploit.

One would hope that game developers who feel threatened by this exploit will pressure Apple to fix the security issues in its APIs, as well as to provide some kind of training in best practices for securing in-app purchases. Of course, game developers should also be doing their part, using all available tools to protect the integrity of their games -- something all software developers should do from the beginning.

I don't like the way things are heading now. You are being FORCED to be online even if the game can be played offline. Suppose you want to play the game or use the app 10 years from now and the company doesn't exist anymore or doesn't support the piece of software anymore? And the extras you bought online, even if you have the installation files, how are you supposed to keep them for later use? Oh well.

More on topic, at least Apple didn't let their users' information go out in the wild, and no customer was affected, only the developers. As more and more of our lives are online, this security issue will get more and more central in the discussions. What amazes me is that the companies should be clear and transparent when there's data being compromised, and most of them tend to leave the customers, developers or not, in the shadows and refuse to acknowledge the problem till there's a good amount of irreversible damage. This culture has to change.

Hey Apple, the lawyers say just fix your API. Do you really think Apple hasn't considered this? It may be a case where securing the API may require all the apps that use it to make changes as well. Maybe you should stick to the lawyering and leave app development up to the people that know what they are talking about.

Steam

I recall a similar instance with Valve's Steam. A few hackers had made login sites that were fake to obtain users' passwords and hijack accounts. This being said, the exploit compromises the security of the developers and I will slap anyone using it upside the head. People need to realize that with most iTunes apps, there are almost no 3rd Party publishers in the way. Roughly 7% of a developer's profit on an App is paid to Apple to host. So in this case, if you use the exploit, you are not protesting Apple or being cool for pirating something, you are mostly hurting independent developers trying to scrape a living from it.

I am very glad that Apple is so secure about Apple ID's, your credit card numbers, and they NEVER sell your personal information to advertisers.

Re:

When you realize that the exploit required you to give out your personal information to unknown entities. Being a Steam user, I know exactly how these scams work. I think you would appreciate that, for once, the takedown notices have nothing to do with copyright issues and are in the interest of both Apple's customers and the independent developers that make apps for Macs and iOS devices.

Saw this coming

Re: What happens 10 years from now?

" Suppose you want to play the game or use the app 10 years from now and the company doesn't exist anymore or doesn't support the piece of software anymore?"

I asked myself that about OSX. I used to play the mostly obscure games on what is considered today "Classic Mac". My games included Marathon (Bungie), Glider Pro (Casady and Greene), Warcraft (it ran perfectly on a Quadra 605). I have to emulate a lot of old Mac stuff now to get the titles I really want to play.

Re: Saw this coming

And now the trolling begins......please no more mention of this folks as it has nothing to do with the article.

The server he was using was Russian....most of the scams I've seen where there is a "Free Game" exploit on Steam had turned out to be Russian and if you participated, your Steam Account got hijacked.

Samsung vs Apple has absolutely nothing to do with it. Apple kept their user clients safe, and are now working on an API to secure the exploit.

Oh, and by the way, what's stopping Alexy from selling your personal information to spammers? That's exactly what's happening to independent developers who work hard to deliver apps to the iTunes store.

So now that I have you back on subject, quit trolling unless you have something relevant to the article to joke about.

My 7 year old racked up nearly $800 (in $99 increments) with Pocket Gems one day before I knew Apple defaults in app purchases to enabled. $800 worth of tiny animal pictures. Apple did courteously reverse the charges, and I'm not saying Apple should police value, but if they don't somebody will.

How come.....

Re: Re: Saw this coming

It is relevant, Wally. The joke was that Apple won't talk directly to this hacker and instead is trying to plug holes in the least efficient way possible. This guy is taking advantage of them, just like they take advantage of their users.

"what's stopping Alexy from selling your personal information to spammers?"
What's stopping Apple from selling your personal information to spammers? I guess I fail to see the point here.

And Apple doesn't sell your info to advertisers? While sort of true, they are more than happy to harvest your info and sell iAds to developers. Same difference.

As for the Samsung comment, Apple doesn't like competing in a straight-forward manner against Samsung (hence patent suits and injunctions), just like it doesn't want to take a straight-forward approach to this dude who is taking advantage of their security flaws.

Re: Steam

"I am very glad that Apple is so secure about Apple ID's, your credit card numbers, and they NEVER sell your personal information to advertisers."

I guess you've NEVER heard about people having charges made to their Apple ID's and credit cards associated with said IDs that they weren't aware of, right?

I only ask it in the form of a question, but I mean it as a general and factual statement. There are tons of reports of people having their Apple accounts hacked and then having trouble getting Apple to even admit there's a problem, which isn't to say Apple representatives weren't helpful in reversing the charges or crediting their accounts (just that Apple isn't acknowledging that there very much is a problem on their end). Which suffice it to say there is, but like all things just because most people don't know about it doesn't mean it isn't happening. The whole "see no evil" quote comes to mind.

In fact, let's just play a game. Let's Google (gasp!) the words "apple account hacked" and then let's see how recent some of the things that will show up are, shall we?

Hmm. That's curious. The first 6 entries all have dates that are within the past 2 months and it's worth noting that the first 6 entries ALL are being discussed on Apple discussion boards.

A further search will turn up even more related events. Suffice it to say Apple's security isn't up to snuff. And that's not me taking a shot at Apple, that's me stating a fact. The simple thing would be for Apple to review their security and perhaps advise people to be more cautious with their accounts, I'd hate to see another "You're holding it wrong" fiasco. Despite that not having been said, it still went around the web quick, fast and in a hurry and did nothing to help their reputation.

Re:

And do you really think I care if the fix for the app is to update the app to use a new API? The alternative is to not fix and leave the exploit open.

Not something that I want as a customer. Even though at the moment it appears to only be affecting the developers, what’s to say that there isn't something in there that allows the device to be exploited?

And as a developer myself, I would definitely want to change an app with the problem, especially if this was my main source of revenue.

Re: Re:

I think you would appreciate that for once, the takedown notices have nothing to do with copyright issues and is in the interest of both Apple's customers, and the independent developers that make apps for Macs and iOS devices.

Actually I think that's his point, these takedowns have nothing to do with copyright so what right exactly do they have to get them taken down? If they are using the DMCA to get it taken down they obviously have no valid copyright claim to do it by and are abusing the process.

If they are just asking Youtube to get the videos taken down because they want them disappeared and Youtube is taking them down then this really reflects badly on Youtube more than it does Apple. This is a valid security issue that Apple needs to fix, not just try to hide so taking these videos down is the wrong solution.

Re: Re: Steam

Fuck off. You take everything I write as a personal attack towards you and to what end? I mean seriously, you tear everything apart just to critique something? You're nothing but an angry son-of-a-bitch with nothing better to do than criticise an opinion. I have a right to be happy. You're nothing more than an eloquently writing troll.

Re: Re: Re: Saw this coming

"As for the Samsung comment, Apple doesn't like competing in a straight-forward manner against Samsung (hence patent suits and injunctions), just like it doesn't want to take a straight-forward approach to this dude who is taking advantage of their security flaws."

This isn't about competition with Samsung. It's about someone hacking developer accounts to get free games.

Re: Re: How come.....

Re: Re: Re: Steam

I don't take it as a personal attack, I just find it odd how quick you are to critique other things like Android (and usually with incorrect information) and then you say things about Apple that aren't necessarily correct.

I did however point out that Apple is not necessarily securing people's Apple IDs or credit card information as well as you might believe or as well as you might try and lead others to believe. I then stated that this is something that has been going on for years now, there are tons and tons of discussion boards filled with people who have had issues arise where someone had hacked their account, and despite this going on for years Apple has still done nothing about it for the most part.

Also, wtf. Someone's angry, and it isn't me. Perhaps you should take the time to cool off and realize that people are going to take apart piece by piece things you say when you say things that aren't correct. Is it my fault you tend to state things that aren't correct? No. It is your fault. It is however my duty to correct your incorrect statements, as to prevent others from believing something that is false. That's what we should all do though, correct false statements. If you have a problem with being corrected then perhaps you should go out of your way to make sure you have all the information needed before you say something.

And it might seem like a personal attack on you me doing this, but that's because you're one of the few stating things on Apple and Android articles on a regular basis and doing so with not so up to date or accurate information. (See previous point about getting all the facts and things correct before clicking "Submit".)

And no, I am very much not a troll. If I was a troll I'd just write, "You're wrong, iSheep. Apple sucks." Then I'd disappear from the comments. I don't do that though.

Seriously, don't like being corrected then perhaps you should stop posting or at least stop posting incorrect things. But by all means, be happy all you want. But as someone who knows plenty of people who use Apple products, I don't want them believing statements made by guys like you saying, "Apple and Apple products are SOOOOO secure and nothing bad could ever breach Apple's walled gardens." Shit like that leads to more work for guys like me. And I for one won't have it.

Re: Re: Re: Steam

You want me to link to all the discussions on the topic? Are you too lazy to do a search yourself? I even provided the key words I used and said what the first things I found were. In fact, the entire first page of search related entries is the same thing, and the "oldest" just on that page was from April of this year.

I'm not trying to discredit anything, I'm just pointing out Apple IDs and linked credit cards are not as secure as someone else, Wally, made them out to be. I honestly have no clue because I don't have a legit Apple ID. I made a throwaway account using a throwaway email account one time to get subscribed to a free podcast I wanted that I could at the time only get through iTunes. I DO NOT have a linked credit card to any account anywhere I use online though. If I do, it's a pre-paid card and I add money to it when I need to, the rest of the time it's inactive or only has one cent on it.

Seriously, you guys get all butthurt whenever anyone points out that Apple has problems or has failed in some way. That's your problem not mine. As I said, do the search yourself and read. The information's there, it's not my job to spoon feed it to you.

Re: Re: Steam

"Hmm. That's curious. The first 6 entries all have dates that are within the past 2 months and it's worth noting that the first 6 entries ALL are being discussed on Apple discussion boards."

-Anonymous Coward With A Unique Writing Style

You hear that, Ninja, two anonymous people, and Sad Mac? It appears that we the "Apple Fanboy Spies" have been caught. I guess we should definitely cover our tracks with something better than two totally unrelated dates and articles from the past two months...especially if the comments are unrelated to ANY Apple discussion boards.

This is the result of me reading your statement word for word. I would've taken the statement as constructive criticism, but the quotation above provides enough information to prove that you're nucking futz.

That' s just a quick handful of links. So you're claiming that those discussions ARE NOT taking place on Apple Support Community boards, is that correct?

Yeah, I'm fucking nuts. /s

You're the one refusing to believe what is clearly being pointed to. I even told you how to find the info and a real quick summary of what is being discussed.

Now, that information is unrelated as it pertains to this article. But it is NOT unrelated to my pointing out that Apple IDs and credit cards aren't being as secured as YOU said they were. I responded to a comment you made. It's up to you to prove that Apple is securing them. Seriously, don't shoot the messenger. Man, you guys seriously have anger issues when someone points out Apple might not be doing as great a job as you think they are.

Here if it makes you feel better. Unrelated info. I'm glad Google is upping the security in Jelly Bean to prevent hackers from installing malware on people's phones. I take care of my stuff and am quite security conscious, but others aren't. If this helps them, more power to Google and the end users. Problems should be fixed and that's been done. Yay for everyone! There. Happy now?

Re:

Imagine if Windows had a security exploit and their solution was to try and censor information about the exploit because fixing the exploit may break some software suites and require them to update. As a Windows customer, I don't care about any of the technical details or the difficulty in fixing the exploit, I want it fixed.

Re: Re: Re: Re: Saw this coming

It is about competition (or lack thereof) with Samsung. Apple wants to lawyer its way around problems. With Samsung, it wants to use the ITC and patent office to stifle competition. With this hacker, instead of confronting the hacker and working out a solution, it wants to pull youtube videos, shutdown websites, and other passive "fixes".

Re: Re:

If my T.V. doesn't work as advertised, do I care about all the technical reasons why it's not working and the cost of fixing it? No, if I buy x and I get y where y < x then, as a customer, I want the problem fixed.

Likewise, when we purchase operating systems, apps, etc... there is a reasonable, implied, expectation that our transactions will be secure and we should be able to expect a reasonable degree of security in the process. How Apple or the T.V. manufacturer manages to deliver what they deliver, all the technical details, is their problem, not mine. Just fix it, OK.

Re: Re: Re: Re: Steam

Re: Re: Re: Re: Re: Saw this coming

You missed my point, I will clarify. The article above mentions nothing of competition with Samsung. It's about an EXPLOIT in the API, found by a Russian hacker, that gets around a developer's payment validation for in-app purchases, which Apple doesn't use or own. The developers are making more money with in-game purchases and Apple doesn't care. Apple's main concern is that people are getting ripped off.

The word "Samsung" is nowhere to be found in the article. The subject of Apple's anticompetitive nature isn't even mentioned or brought up.

Re: Re: Re: Re: Steam

Warning noted.

Anonymous Coward With A Unique Writing Style,
Those links you provided have absolutely no similarities to comments on here. Yeah, it is being discussed, but that doesn't mean the comments there are copied and rewritten here.

"Hmm. That's curious. The first 6 entries all have dates that are within the past 2 months and it's worth noting that the first 6 entries ALL are being discussed on Apple discussion boards."

Think out of the box on that and look at what it looks like through other people's eyes before you post. I had interpreted "entries" as comments.

Re: Re: Re: Re: Re: Steam

I don't understand what you're saying. So the links I provided have no bearing on what I stated or what you stated, is that correct?

K. Let me put this really simply. You stated Apple makes sure Apple IDs and credit cards are secure. I said basically, "Nuh uh, and there's proof." Which I then presented. You threw a shit fit. You/Sad Mac then went off your rails a bit more.

So you interpreted "entries" to mean "comments", despite the fact that I said this (?):

"In fact, let's just play a game. Let's Google (gasp!) the words "apple account hacked" and then let's see how recent some of the things that will show up are, shall we?

Hmm. That's curious. The first 6 entries all have dates that are within the past 2 months and it's worth noting that the first 6 entries ALL are being discussed on Apple discussion boards."

I don't know how you interpreted it incorrectly, but again, that's not my problem. Either way, you stated something that wasn't factually true. I then stated something to correct you, presented proof and you flipped out. Like I said, don't like it... that's fine, but don't get upset when people correct you because that's how life is. People will tell you things you don't want to hear. And stop taking things so personally. I'll correct anyone and I myself have been corrected on this. I usually even say, "Hey, if I'm off on something feel free to correct me." I then thank people who do correct me, I do not flip out like you did.

Now that this has all been cleared up, I look forward to doing this again. But try out what I said, stop stating things as fact before you have all relevant information at hand (and your personal experience, as great and important as it can be, DOES NOT translate to making what you've experience an automatic fact for the rest of the world). That's your problem and I've pointed it out before. I'm not trying to be mean or a jerk.

Re: Re: Re: Steam

Indeed you do! I might suggest, however, that if the comments of others on the internet detracts from your ability to be happy, then perhaps the internet isn't for you. It's a rough-and-tumble place.

Happiness is a choice. It comes from how you relate with the things your encounter in your life, not from what those things actually are. I've known people living hellish lives who were fundamentally happy, and I've known people living blessed and gilded lives who were absolutely miserable.

Re: Re: Re: Re: How come.....

If you were smart you would have probably said that you were using TOR and the IP addresses that you get are randomized. Though Mike could tell if you are using Tor, so that might not always work. But the probability of you getting the same IP address and posting under the same Identicon as someone else is actually quite high. I've posted using Tor before (less than a handful of times) and noticed someone else who posted with the exact same Identicon; I even checked the hash tag to make sure and they were the same.

Re:

Re: Re: Re: Saw this coming

No, no, no!

Selling info to a third party is very different from using it yourself to deliver adverts for a third party. Very, very different.

The two are crucially different.

When you give information to a party, you know they've got your information. You might choose to give them info A, C, and Z and from this, they can't work out anything about you that you don't want them to.

You might give some other party information C, D, K, and M, and from this it's impossible to work out anything about you that you don't want them to.

However if information A, C, D, K and Z are correlated, it might be possible to work out things about you that you don't want known, and this might be an information that you'd never have given to any single party.

This has huge privacy implications and it's really important that people understand that correlating information given to different parties can form a new set of information that when altogether violates privacy.

Not understanding this often creates a barrier, not only to protecting one's own privacy, but to recognizing and taking privacy concerns seriously (which is a barrier to getting broader, legally based protections, because it's hard to get people to see that there is a privacy issue).

People tend to think if you give information casually, there's no problem when that information is correlated, but correlating information makes it more the sum of the fragmented parts. It's crucial that people understand this both to protect their own privacy and so that they can be the kind of informed citizens we need people to be if privacy is to be sufficiently protected legally.

Correlation takes harmless sets of information and associates them in ways that can violate the privacy of the end user.

It's really important to draw a line between using customers' information to provide an advert service to other parties, all while shielding the information itself from the advert buyer, and handing over the information itself to third parties.

The two are very distinct because of the implications of correlating information into a single set.
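To make the correlation argument in the comment above concrete, here is an added example (mine, not the commenter's or the page's) using constructed records: a forum holds fields A, C, Z (handle, zip, birth year) and a shop holds fields C, D, K, M (zip, birth year, name, purchase). Neither zip code nor birth year alone singles anyone out, but the combination links a pseudonymous handle to a real name and a purchase that neither party was ever given.

```python
from collections import defaultdict

# Constructed sample records (not from the page). On its own, neither set
# ties a forum handle to a real name.
FORUM_POSTS = [  # party 1: A = handle, C = zip, Z = birth_year
    {"handle": "night_owl", "zip": "02139", "birth_year": 1984},
    {"handle": "quadra605", "zip": "02139", "birth_year": 1979},
    {"handle": "ghostpaw", "zip": "60614", "birth_year": 1990},
    {"handle": "m_fan", "zip": "60614", "birth_year": 1990},
]
SHOP_ORDERS = [  # party 2: C = zip, D = birth_year, K = name, M = purchase
    {"name": "Alice Park", "zip": "02139", "birth_year": 1984, "purchase": "retro-game bundle"},
    {"name": "Bob Lin", "zip": "02139", "birth_year": 1979, "purchase": "tiny animal pack"},
    {"name": "Cara Ng", "zip": "60614", "birth_year": 1990, "purchase": "eagle feature"},
    {"name": "Dan Oz", "zip": "60614", "birth_year": 1990, "purchase": "season pass"},
    {"name": "Eve Roy", "zip": "10001", "birth_year": 1984, "purchase": "ebook"},
    {"name": "Frank Ito", "zip": "10001", "birth_year": 1979, "purchase": "soundtrack"},
]


def group_by_keys(records, keys):
    """Bucket records by the tuple of values they carry for the given fields."""
    groups = defaultdict(list)
    for rec in records:
        groups[tuple(rec[k] for k in keys)].append(rec)
    return groups


def link_records(left, right, keys):
    """Join two record sets on the shared fields, keeping only pairs whose key
    tuple picks out exactly one record on each side (an unambiguous link)."""
    left_groups = group_by_keys(left, keys)
    right_groups = group_by_keys(right, keys)
    linked = []
    for key, lrecs in left_groups.items():
        rrecs = right_groups.get(key, [])
        if len(lrecs) == 1 and len(rrecs) == 1:
            linked.append((lrecs[0], rrecs[0]))
    return linked


def ambiguous_keys(left, right, keys):
    """Key tuples present on both sides that still match more than one record
    on at least one side: these groups hide the individual, so nothing is learned."""
    left_groups = group_by_keys(left, keys)
    right_groups = group_by_keys(right, keys)
    return {
        key for key in left_groups.keys() & right_groups.keys()
        if len(left_groups[key]) > 1 or len(right_groups[key]) > 1
    }


def reidentified_handles(left, right, keys):
    """Map each forum handle the join exposes to the name and purchase the shop
    holds for it: the new information that neither party was given directly."""
    return {
        post["handle"]: (order["name"], order["purchase"])
        for post, order in link_records(left, right, keys)
    }


if __name__ == "__main__":
    # Each field alone links nobody; the pair of fields links two people.
    for keys in (("zip",), ("birth_year",), ("zip", "birth_year")):
        print(keys, reidentified_handles(FORUM_POSTS, SHOP_ORDERS, keys))
    print("still hidden:", ambiguous_keys(FORUM_POSTS, SHOP_ORDERS, ("zip", "birth_year")))
```

The last line shows the edge case: two people in the same zip with the same birth year remain indistinguishable even after the join, which is why larger groups sharing the same quasi-identifiers protect privacy.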

Re: Re: Re: Re: Re: Re: Saw this coming

You cannot really be this dense.

I know the above article isn't about Samsung. I was however pointing out that Apple is lawyering this situation and pointing out that they love lawyering everything they do. I pointed out that Samsung is a prominent situation in which they lawyer the shit out of shit.

Re: Re: Re: Re: Re: Re: Re: Steam

Re: Re: Re: Steam

Honestly, I only meant that the credit card transactions are secure in that the user usually doesn't have to worry most of the time (admittedly that does create a false sense of security). Apple fails at security, but to their credit, they really never had to worry about viruses in the pre-OSX days.

Flashback Virus was an interesting case though. I recall Apple being in a huge flurry of denial about it. A lot of the statistics showed that of the some odd 300,000 computers affected, 90% of them had Windows partitions and got it that way from booting between the two OSes. The users with the partitions assumed that since all these years Apple hadn't gotten viruses on their systems, they wouldn't need an antivirus (oh the arrogance of iSheep). Of course Apple does completely fail at acknowledging security issues. Anyone remember hearing about a PDF exploit that could be used to make iDevices a carrier? Took Apple a full 6 months to update iOS to correct it.

There have been many viruses and WORMs throughout the history of the old MacOS days (pre-OS8).

Re: Re: Re: Re: Saw this coming

My big question is what's stopping the servers that are up in Russia being run by Alexy from gathering the information of those who followed the instructions on the "A,C,K,Z" structure?

The big huge red flag that I saw in this whole exploit is that the servers were in Russia, one of the largest providers of SPAM messages in the world. A similar situation happened on Steam where hackers had offered a free game by logging in using that website (which looked almost exactly like Valve Software's Steam Forum login page). Some of the offers were along the lines of "Get Half-Life 2 completely free" and it had provided instructions on how to exploit the payment system. They provided a link. Several people on my friends list had their accounts hijacked and just for security (and blind curiosity) I went to the website. I didn't log in, but man alive did I see a lot of errors....spelling errors...very obvious spelling errors.

Re: Charges

What's most annoying to me is that when I purchase something on iTunes, and I have a credit card used as a payment, and I get a gift card and use the credits on that, Apple STILL processes the credit card transaction by default without touching the credit stored by the gift card.

Re: Re: Re: Re: Re: Re: Re: Re: Saw this coming

Wait, what US laws require that videos be taken down? There was no copyright infringement. They were videos showing how to get free apps by utilizing an exploit. No different than the millions of videos showing how to root your Android or jailbreak your iPhone, both of which are legal.

Re: Re: Re: Re: Re: Re: Re: Re: Steam

No, he did not fail to specify what the first 6 entries were. It was a reading comprehension fail on your part. In fact, that much was clearly evident by your first flip out and continued others. You even quoted me at one point and what you interpreted from a handful of sentences in no way matched up even remotely to anything I said. But... for those just tuning in, let me quote exactly what I said as it regards the "6 entries".

"In fact, let's just play a game. Let's Google (gasp!) the words "apple account hacked" and then let's see how recent some of the things that will show up are, shall we?

Hmm. That's curious. The first 6 entries all have dates that are within the past 2 months and it's worth noting that the first 6 entries ALL are being discussed on Apple discussion boards."

I quite clearly stated, hey let's do a Google search. I then quite clearly stated the words I was and did end up using in the search. I then said let's see what I find/found. I then stated that first 6 entries all had dates and they were all taking place on Apple discussion boards. Now, this is insanely easy to follow.

Why would you assume the 6 entries refer to Techdirt, when I quite clearly said they were on Apple discussion boards? It was a reading fail on your part, possibly brought on by a quick and irrational surge of anger/"stop being a meanie"-ness on your part.

I often go out of my way to be very specific and clear in what I'm saying to avoid having others twist my words around or read things into them that aren't there.

Other reasons include piss-poor passwords, the occasional (and extremely rare) Apple server D-base hack, and not deactivating a device before transferring to a new computer to allow your iDevice onto a new one.

Now I am willing to bet, that the scenario depicted above is the most likely candidate for why users get their accounts hacked.

As for those dates on the commentaries, how many correlate with the length of time Alexy's exploit video was up?

Re: Re: Re: Re: Re: Re: Re: Re: Re: Saw this coming

This wasn't a copyright case at all. Lawyers are hired to protect interests. Comparing this exploit to rooting and jailbreaking is like comparing apples to oranges. The takedown request was over someone who found the exploit and created a phishing scam out of it, harming users. That itself is a legal matter and the use of a lawyer is quite prudent. It's not as if they came in busting down the doors demanding the takedown, and Google wouldn't have complied if it was without a legitimate reason. The end goal was simply stopping people from falling into a trap.

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Saw this coming

"No different than the millions of videos showing how to root your Android or jailbreak your iPhone, both of which are legal."

But the exploit is teaching people how to do something completely illegal. Developers, who work very very hard to create this content, are losing their money. Apple's hosting fee is 7% of the profit, so they have little to lose.

Also, unlike Jailbreaking and rooting, the exploit requires you to use a server to log into your Apple ID account. That server is in Russia. Alexy set up the server himself. That's not something very many cautious people would risk doing.

Re: Re: Re: Re: Re: Re: Re: Re: How come.....

Actually, Sad Mac and I were the same person. Check the avatars, they should be the same if the same IP address was used. Ninja, and the 2 anonymous cowards are not the same avatars. You're just mad at me still.

Re: Re: Re: Re: Re: How come.....

Re: Re:

I just happen to have Angry Birds. I have uninstalled it and reinstalled it on my iPod. I paid 99¢ for the Eagle feature and it has stayed. Apple stores the information on your in-app purchases in your account information much the same way Valve does with Steam.